CFE-Investigation Certified Fraud Examiner (CFE) - Investigation Question and Answers

Both the Manual and CFE Prep guides emphasize that forensic imaging is essential because:

“Forensic analysis should not be performed on suspect devices directly because doing so can alter or damage digital evidence, and imaging… allows a fraud examiner to view and analyse… without altering the original data in any way”.

A forensic image is anexact, sector-by-sector copyof the drive. Thus, imaging preserves evidence integrity.

TheFraud Examiners Manualexplains that before obtaining or cleansing data, the first step in using data analysis is theplanning phase. This includesunderstanding the data, articulating objectives, and building a profile of potential frauds. Without this, examiners risk inefficient analysis and overlooking key fraud risks.

✅Answer: C. Build a profile of potential frauds

TheFraud Examiners Manualmakes clear:

“Fraud examiners should never offer opinions regarding guilt or innocence. Reports must be factual, objective, and free from speculation. Statements implying guilt are improper.”

Thus, while it is proper to note contradictions, evidence, or control weaknesses, it isimproper to declare the suspect guilty.

The Manual emphasizes that interviews should be held where the respondent feelscomfortable and secure, not threatened:

“When possible, the interview should be held in a venue where the subject will feel comfortable and secure”.

Holding it in an uncomfortable setting is counterproductive and contrary to best practices.

TheFraud Examiners Manualadvises:

“Do not slow down the interview process for note-taking. Instead, jot down key words … In general, it is better to err on the side of taking too few notes rather than too many.”

Therefore, the best practice isC.

“Internal sources will sometimes be the only resource for certain types of documents—such as… employee personnel files—unless the fraud examiner has the subject’s consent or a legal order”.

External searches may reveal addresses, assets, or competitor ownership, butpersonnel files require internal/non-public access.

TheFraud Examiners Manualstresses that fraud examiners mustnever promise unconditional confidentiality, because findings often must be disclosed to management, auditors, or authorities. They can only offer “qualified confidentiality” (best efforts to protect identity, but with necessary limits). Therefore, optionAis the most appropriate response.

Both the Manual and CFE Prep guides emphasize thatdeleted files are recoverable until overwritten. Once overwritten, the original data cannot be retrieved:

“Deleted files are recoverable until they are overwritten because data is not erased… until overwritten. So, deleted files that have been overwritten generally arenot recoverable.”

Other file types (deleted shortcuts, hidden files, etc.) can often be recovered, butoverwritten files are lost permanently.

Predictive analytics is defined as:

“the use of historical data combined with statistical, analytical, and machine learning techniques to create models that capture trends and produce forecasts”.

So, optionCbest describes predictive analytics.

“Even when a victim refers a fraud case for criminal prosecution, the government will usuallynot disclose the contents of nonpublic records with the victim during the investigation”.

Thus, optionDis most accurate.

TheFraud Examiners Manuallists required steps before seizing evidence:

Obtain legal authority.

Review privacy issues.

Ensure software/hardware are validated.

Document surroundings, inspect for traps, image drives, etc.

There isno requirementto assemble a team exclusively of outside experts.

Before seizing evidence in adigital forensic investigation, the2014 International Fraud Examiners Manualoutlines several critical steps:

Obtain legal authority / review orders:

“Before obtaining evidence, ensure that there is legal authority to seize evidence and review the data associated with the evidence. This might require obtaining a warrant in a criminal matter or ensuring that internal policies authorise seizure for an internal investigation.”

Determine privacy issues:

“Before the fraud examiner can seize evidence, he must take certain steps to help ensure that the evidence will be admissible: He must determine whether there are any privacy interests in the item(s) to be searched… In every case where it becomes necessary to seize a computer or other device capable of storing digital evidence, the investigator should consult with legal counsel.”

Use only trained professionals/software:

“It is important to allow a trained examiner to conduct a proper seizure and examination of digital evidence to help ensure that the information can be used in a legal proceeding.”

✅These are allvalid required steps.

In contrast, the idea that the team must be composedonly of outside digital forensic expertsisNOT a required step. The Manual stresses flexibility in team composition:

“Some organisations have their own in-house personnel… while others might prefer the use of an outside examiner. Sometimes retrieving digital data is as easy as searching the target computer’s hard drive, but other times retrieval requires a thorough knowledge of computers.”

Thus, requiringonly outside expertsis not a standard step, since investigations may useinternal, external, or a mixof specialists depending on the situation.

The2014 International Fraud Examiners Manualexplains:

“Often, the most important evidence exists only in the form of volatile data (e.g., RAM)… If the evidence that a formally trained computer investigator needs to collect exists only in the form of volatile data stored in volatile computer memory such as RAM, and the data is expected to disappear when the computer is shut down, he should collect the data live from the suspect computer.”

Also,

“If the computer is off, leave it off… Booting up a system can alter its files… Accordingly, turning a system on could damage and taint any evidence.”

Thus, themost accurate statementisD— live data collection may be performed directly if volatile data is required.

Explanation with Extracts= Pretexting is:

“The act of impersonating someone else or making false or misleading statements to obtain information from financial institutions. Several jurisdictions have prohibited pretexting against financial institutions”.Thus, falsely claiming to be the spouse constitutes illegal pretexting.

When preparing for interviews, fraud examiners should avoid scripting detailed questions. Instead, they prepare notes of key points to cover.

From the Fraud Examiners Manual:

“Whenever possible, do not prepare a list of predetermined questions to ask the subject. The interview should flow freely. The interviewer might, however, want to develop alist of key points to coverduring the interview”.

Therefore, the best preparation method is to note key points instead of detailed questions.

The recommended questioning order is:

“As a general rule, questioning should proceed from thegeneral to the specific; that is, it is best to seek general information before seeking details”.

This ensures the respondent provides a free narrative before narrowing down to specifics.

Best practice is to conduct interviewsindividually. The Manual states:

“When conducting interviews, witnesses should beinterviewed separately. Interviewing multiple witnesses together risks contamination of testimony and reduced reliability of responses”.

Explanation with Extracts: In interviews, deceptive subjects often stall to gain time to construct plausible responses. TheCFE Prep - Investigationsnotes that deceptive interviewees may ask for questions to be repeated or otherwise delay in order to think of what to say.

TheFraud Examiners Manualstates:

“If a business or individual constructs a new building or makes improvements to an existing building, there should be a building permit on file with the local building authority. In many cases, the person applying for permits will be the owner or someone traceable to the owner.”

CFE Prepsupports this:

“Building permit records… are often required before most businesses can open… and often list the owner or someone traceable to the owner.”

Thus,building permit recordsare most likely to help identify the restaurant’s owner.

The2014 Fraud Examiners ManualandCFE Prepexplain:

“Closing questions seek to close the interview positively. In routine interviews, closing questions serve the following purposes: reconfirm facts, gather additional facts, and conclude the interview in a manner required to maintain goodwill.”

Thus, the correct answer isA.

TheFraud Examiners Manualstresses confidentiality:

“To preserve confidentiality, investigators should avoid transmitting confidential information by email or other electronic means whenever possible, as these are susceptible to interception or unauthorized access.”

Suspending employees or blanket bans on discussion are not best practices. Confidentiality is preserved primarily by secure communication and controlled access to information.

The organizational filings with the government of the jurisdiction in which the company is incorporated

Explanation: Organizational filings (e.g., articles of incorporation) are generally public records and includeownership information, initial shareholders, and the location of the principal office.

Fraud examination reports are not written only for internal use. The2014 International Fraud Examiners Manualclearly emphasizes:

“When drafting a report, fraud examiners must consider who might end up reading it. Fraud examiners should keep in mind that the fraud examination report will be read by the general public and adverse parties. Under no circumstances should the fraud examiner prepare a communication with the idea that the information will not be disclosed to adverse third parties. Fraud examiners should draft their reports with this caveat in mind.”

The manual further specifies the wide range of potential readers:

*“There are many individuals and groups that might end up reading a fraud examination report, including the following parties:

Company insiders (managers, board of directors, owners, investors, etc.)

Attorneys (legal counsel, prosecutors, regulators, and defense counsel)

Defendants and witnesses

Press and media outlets

Judges or juries”*

This aligns with theCFE Prep - Investigationsstudy guide, which also confirms:

“There are many parties that might read a fraud examination report, including company insiders, attorneys, defendants and witnesses, press and media outlets, and judges or juries.”

📌Interpretation:

The mediamay access the report through litigation disclosures or leaks.

Opposing legal counselwill review the report during discovery or trial.

Investors and owners(company insiders) are primary stakeholders.

Thus, the only correct choice isD. All of the above, because fraud examination reports must be written withall possible audiences in mind, ensuring accuracy, clarity, impartiality, and professionalism to withstand scrutiny from multiple directions.

The calibration (or norming) process in interviews is meant to establish a baseline of the subject’s normal verbal and nonverbal behavior. This is done by askingnoncritical background questionsso that later deviations can be more reliably identified.

From the CFE Prep guide:

“The proper way an interviewer should start the calibration (norming) of a witness is through the use of:Noncritical questions on background information.… Examples of noncritical questions include ‘When did you start with the company?’ and ‘How long is your commute?’”.

Thus, the correct answer isD. “How many jobs have you had before this one?”since it is a nonthreatening background question.

Best practices emphasize separation:

“Interviews should be conducted one-on-one to reduce the possibility of collusion, contamination, or intimidation of witnesses” (Fraud Examiners Manual – Interviewing Guidelines).This ensures independent and uncontaminated statements.

The best practices for signed statements include:

Adding omitted facts as anaddendum.

Preparingseparate statements for unrelated offenses.

Havingwitnesses to the signing.

But:

“The signed statement should be reduced to a short and concise written statement. The interviewer should prepare the statement and present it to the confessor for his signature” .

Thus, requiring the suspect to handwrite the entire statement isnot a best practice.

“Once a denial is uttered, it becomes extremely difficult for the accused to change his response, because doing so would be an admission that he lied. Therefore, the interviewer must prevent an outright denial, thereby making it easier for the subject to confess”.

“One of the most effective techniques to stop or interrupt a denial is through a delaying tactic… the interviewer should attempt to delay the outright denial; he should not argue with the accused”.

Thus, Charles should interrupt with a delaying tactic.

Thecorrect answeris:Whether recording is legal depends onconsent laws— so the most helpful question is effectively:“Is consent required from one or all parties to record this conversation?”

Among the provided choices, theclosest matchisNOT listed explicitly. But based on the ACFE manuals, the correct interpretation is that none of the technical details (audio/video, file format, time, duration) matter —only the legal consent requirement matters.

Complete Detailed Explanation with Exact Extracts from Fraud Examiner (CFE) - Investigation Documents: =

The2014 International Fraud Examiners Manualstates:

“In some circumstances, recording an interview might be illegal. Some jurisdictions limit an employer’s right to record employee interviews during an investigation. In fact, in some jurisdictions, audio recording an interview is permitted only with the consent of all parties to the communication. Thus, fraud examiners should always consult with an attorney when deciding whether to record an interview.”

It further emphasizes:

“A telephone recording consent form stipulates where, when, and with whom telephone conversations can be recorded… Be cautioned that the form alone does not make the conduct of recording a telephone conversation illegal or legal.”

📌Interpretation:

The legality of recording has nothing to do with:

Audio vs video(A)

Digital file format(B)

Work hours(C)

Duration(D)

Instead, it dependsentirely on jurisdictional consent laws(one-party vs all-party consent).

Guidance on reports:

“A fraud examination report should be accurate, clear, and impartial. The fraud examiner should avoid technical jargon where possible and write in plain language so that readers without specialized knowledge can understand”.

Reports should only include relevant, factual findings—not every detail or opinion.

So, the most accurate statement is that jargon should be avoided.

Explanation: After alibis are diffused, suspects may become quiet, withdrawn, or even cry. This often indicates they are considering confession. At this point, the interviewer should present analternative question, forcing a choice between two answers that both imply guilt, thus leading toward a benchmark admission.

Signs of stress (e.g., shallow breathing, stuttering, shifting posture) do not automatically equal deception. TheFraud Examiners Manualstates:

“Signs of stress do not always mean a subject is lying. An honest subject might feel stress simply by being questioned. Conclusions must be based on clusters of behavior and corroborating evidence, not a single indicator”.

The Fraud Examiners Manual states that admission-seeking interviews should avoid yes/no questions like“Did you steal the money?”because they encourage denials. Instead, the question should be phrased as if guilt has already been established. The Manual explicitly warns:

“The accusation should be made in the form of a statement; it should not be made in the form of a question… Avoid emotive words such as steal, fraud, and crime… Example:‘It is not so much a question of what you did, but why you did it.’”

Thus, the most effective admission-seeking phrasing is:“Why did you take the money?”because it presumes involvement and encourages explanation rather than denial.

According toCFE Prep – Investigations:

“In most jurisdictions, income tax records are not public records and cannot be accessed for pre-employment purposes”.

Common public sources include court, property, licensing, and utility records.Thus, searching income tax filings isnota common use of public sources.

Credit reports can sometimes be obtained legally if properconsentor a recognized legal basis (such as employment background checks, extension of credit, or legal proceedings) exists. The Manual notes:

“Access to personal credit data may be permitted when theindividual has given consentor when required for employment, credit, or legal reasons”.

Thus, it isnot truethat credit data can never be obtained—circumstances exist where it can be done lawfully.

TheFraud Examiners Manualexplains:

“Textual analytics is a method of using software to extract usable information from unstructured text data… it cancategorise data to reveal patterns, sentiments, and relationships indicative of fraud”.

This is the key reason fraud examiners analyze textual/unstructured data.

In admission-seeking interviews, one rationalization technique is todepersonalize the victim(e.g., shifting the perception so the harm was against a company, not individuals). The example in the question—“It isn’t like you took something from a friend or neighbor”—is exactly this technique.

Court records are frequently used in fraud investigations. Both the Prep Guide and the Manual agree thatthe court clerk’s office (court authorities) is the original and most reliable sourceof certified and accurate records.

Although commercial services and online databases exist, the manuals emphasize that reliability and certification are best ensured by going directly to the court where the case was filed.

Thus, the statement isTrue.

CFE Prepclarifies entrapment:

“Entrapment occurs when law enforcement induces a person to commit a crime that he is not predisposed to commit… It is imperative that adequate predication exists before the operation is commenced. For example, if the officer received a reliable tip, that could serve as adequate predication.”

Here, the officer acted on a reliable tip, so the entrapment claim would fail.

From the2014 International Fraud Examiners Manual, under the section related to tracing financial transactions, specifically tracing the disposition of loan proceeds, the following objectives of tracing activities are explicitly outlined:

“Tracing the disposition of loan proceeds can help fraud examiners:

Determine whether loan proceeds were deposited into hidden or unknown accounts

Determine whether loan proceeds were used to pay off other loans

Identify the involvement of previously unknown individuals (potential witnesses)

Determine whether payments were made from hidden accounts

Identify undisclosed related-party transactions”

There isno mentionthat tracing loan proceeds can uncoverprevious civil offensescommitted by the subject. Civil offenses refer to non-criminal violations (e.g., breach of contract, torts), which tracing offinancial transactions like loan proceedsis not directly designed to uncover.

This isnot a recognized purposeof tracing as taught in the CFE Investigation section. The core objectives revolve around uncovering hidden assets, hidden accounts, payments, and potential witnesses —not prior legal infractions.

Therefore, thecorrect answer is A, as it is the only option that isNOT trueaccording to official CFE investigation materials.

TheCFE Prep – Investigationsnotes:

“Court records are best obtained from the jurisdiction in which they were filed… The most accurate records are maintained by the court of original jurisdiction, not global or aggregated databases.”

Thus, the best place for Sam is thelocal court of jurisdiction, not a global database.

According to theCFE Prep - Investigationsstudy guide:

“It is recommended that any witnesses who are considered potentially volatile be interviewed without advance notice. Surprise should be employed in any interview that is considered potentially volatile. In many instances, the potentially volatile respondent is unaware that he is going to be questioned, and will therefore be unprepared. If the interview is not conducted by surprise, the interviewer runs the risk of the respondent not showing up, showing up with a witness, or being present with counsel. A target’s friends, relatives, and romantic interests often make for a difficult interview. They perceive that the fraud examiner is deliberately targeting someone close to them.”

📌Interpretation for this scenario:

Brianna is described asvery protective of her boyfriend, making her a potentiallyvolatile witness.

Best practice is to avoid giving heradvance notice(which might increase hostility, resentment, or allow preparation).

Conducting the interviewwith little or no noticereduces the risk of interference, ensures she is unprepared, and prevents her from appearing with legal counsel or allies.

TheCFE Prep – Investigationsstates:

“If a fraud examiner gets a verbal confession from the fraudster, it does not matter whether the fraudster claims his conduct was an accident. The following items of information should be obtained … admission that the accused knew the conduct was wrong, facts known only to the confessor, the accused’s motive, approximate dates, involvement of others, physical evidence, and disposition of illicit income.”

Thus, the examiner doesnotneed a statement about accident.

TheFraud Examiners Manualwarns against phrasing admissions as direct questions using emotive terms:

“The admission-seeking interview begins with a direct accusation… The accusation should be phrased as though the accused’s guilt has already been established. Emotive words such as steal, fraud, and crime should be avoided… Wrong: ‘Did you do this?’”.

Thus, phrasing the question as“Did you steal the money?”is least effective.

Limitations of online public record searches include:

Need to search multiple jurisdictions.

Records are often only abstracts.

Information must be verified for accuracy.There isno mentionthat online record vendors are “difficult to find.” In fact, many such vendors exist.

TheFraud Examiners Manualstates:

“The primary concern when analysing digital evidence is to maintain the integrity of the data at all times. Fraud examiners must be careful with computer equipment because a careless investigator might inadvertently alter important evidence”.

Examiners must look for both inculpatory and exculpatory evidence.

“As a general rule, questioning should proceed from the general to the specific; it is best to seek general information before details. A variation… is to begin with known information and work towards unknown areas”【9:2014 International Fraud Examiners Manual.pdf†L39-L51】.

ï‚·Random order isnot recommendedand breaks the logical flow.

Detailed Explanation with Extracts= The Fraud Examiners Manual states:

“When reporting the results of a fraud examination, it is best to include copies (not originals) of important documents in the formal report”.

Originals should be safeguarded separately for evidence; reports should use copies.

Therefore, the statement is true.

The2014 International Fraud Examiners Manualdefines:

“Fraud examination is a methodology of resolving signs or allegations of fraud from inception to disposition. The fraud examination methodology establishes a uniform, legal process for resolving signs or allegations of fraud on a timely basis.”

Similarly,CFE Prep – Investigationsconfirms:

“The term fraud examination refers to a process of resolving allegations of fraud from inception to disposition, and it is the primary function of the anti-fraud professional.”

Thus, the correct answer isD.

TheInternet archives(e.g., the Wayback Machine at archive.org) allow fraud examiners to retrieve prior versions of web pages, including deleted content such as company statements.

✅Answer: C. The internet archives